Case Project 3-1: Determining Vulnerabilities for a Database Server
You have interviewed Ms. Erin Roye, an IT staff member, after conducting your initial security testing of the Alexander Rocco Corporation. She informs you that the company is running an older version of Oracle’s database, Oracle 10g, for its personnel database. You decide to research whether Oracle 10g has any known vulnerabilities that you can include in your report to Ms. Roye. You don’t know whether Ms. Roye has installed any patches or software fixes; you simply want to create a report with general information.
Question 1
a. Based on this information, write a memo to Ms. Roye describing any CVEs (common vulnerabilities and exposures) or CAN (candidate) documents you found related to Oracle 10g. (Hint: A search of the CVE Web site sponsored by US-CERT, https://cve.mitre.org/, can save you a lot of time.) If you do find vulnerabilities, your memo should include recommendations and be written in a way that doesn’t generate fear or uncertainty but encourages prudent decision-making.
——————————————————————————————————————————————————————————————————————————————————————————
Case Project 3-2: Investigating Possible Vulnerabilities of Microsoft IIS 6.0
Carrell Jackson, the Web developer for Alexander Rocco Corporation, has informed you that Microsoft IIS 6.0 is used for the company’s Web site. He’s proud of the direction the Web site is taking and says it has more than 1000 hits per week. Customers can reserve hotel rooms, schedule tee times for golf courses, and make reservations at any of the facility’s many restaurants. Customers can enter their credit card information and receive confirmations via e-mail.
Question 2
a. Based on this information, write a memo to Mr. Jackson listing any technical cybersecurity alerts or known vulnerabilities of IIS 6.0. If you find vulnerabilities, your memo should include recommendations and be written in a way that doesn’t generate fear or uncertainty but encourages prudent decision-making.